3 Answers
3

Securing it really depends on how it's being served. But by default it comes with its own web server. /etc/webmin/miniserv.conf has allow and deny directives. So you can use this to only allow access from the localhost.

Then as you say just ssh in using port tunneling to access it. At that point in theory it would be as secure as your ssh setup is. If someone gains ssh access to your server then you already have issues.

You mentioned that "Securing it really depends on how it's being served", is there a more secure way of serving it rather than the inbuilt web server? I was thinking of using the inbuilt server so that it was not reliant on the configurations that it will be administrating.
– Josiah May 7 '10 at 3:37

I think you're on the right track in securing it now. The only advantage that apache would have over the built-in server would probably be more options for authentication and perhaps some RAM savings if the server needs to have apache running anyway. But there's a trade-off for that, as it also means that if you mess up your apache config you would find yourself unable to access webmin as well.
– 3dinfluence May 7 '10 at 13:10

To further harden SSH you can use permitopen directives to restrict what IP addresses can forward ports and what IPs/ports they can forward to. I believe you can even restrict this per user.
– 3dinfluence May 7 '10 at 13:18
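The answer above (restrict miniserv.conf allow= to localhost, then reach Webmin over an SSH tunnel) and the permitopen comment, as an added shell example that is not from the original posts. It assumes Webmin's default port 10000, a key=value layout in miniserv.conf, and a constructed config file; the user@host and authorized_keys options are illustrative.

```shell
#!/bin/sh
# Constructed example: audit miniserv.conf's allow= directive and build the
# matching SSH tunnel and authorized_keys restriction. Assumes Webmin's default
# port 10000 (change WEBMIN_PORT if yours differs).
WEBMIN_PORT=10000

# Print the value of a key (e.g. allow) from a key=value config file.
miniserv_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1       # $1 = config path, $2 = key
}

# Return 0 if every host in allow= is a loopback address, 1 otherwise.
# Webmin accepts space-separated hosts/networks in allow=; an unset allow=
# means anyone who can reach the port may connect, so that also fails.
webmin_allow_is_local_only() {
    allow=$(miniserv_get "$1" allow)
    [ -n "$allow" ] || return 1
    for host in $allow; do
        case "$host" in
            127.0.0.1|::1|localhost) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# The ssh command that forwards a local port to Webmin on the server.
# $1 = user@host, $2 = local port (defaults to the Webmin port)
webmin_tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s\n' "${2:-$WEBMIN_PORT}" "$WEBMIN_PORT" "$1"
}

# authorized_keys prefix that lets a key forward only to Webmin on loopback.
webmin_authkey_restriction() {
    printf 'permitopen="127.0.0.1:%s",no-agent-forwarding,no-X11-forwarding\n' "$WEBMIN_PORT"
}

# Demo against a constructed config written to a temp file.
cfg=$(mktemp)
printf 'port=10000\nallow=127.0.0.1 ::1\n' > "$cfg"
if webmin_allow_is_local_only "$cfg"; then
    echo "allow= is loopback only; open it with: $(webmin_tunnel_cmd admin@example.com)"
    echo "authorized_keys prefix: $(webmin_authkey_restriction)"
else
    echo "WARNING: allow= permits non-loopback hosts or is unset"
fi
rm -f "$cfg"
```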

Won't points #2 and #3 be rectified by only allowing localhost access? Is there an additional security benefit to changing the default port (besides obfuscation)? When you say limiting access in the firewall, won't that restrict general access to the server also (visitors to my website)?
– Josiah May 7 '10 at 3:35

1

#3: Firewalls can do port to IP only rules. Say Webmin is running on port 9665, you can make it so only IP 1.2.3.4 can access your server via port 9665. If 2.2.3.4 tried, they would be denied.
– David Rickman May 7 '10 at 4:38

1

#2: It's obfuscation, sure. But the bots that would scan it or any "hacker" that scans for it won't find it immediately; they will need a much broader scan to locate it, which requires more resources for the bots and more time for the "hacker".
– David Rickman May 7 '10 at 4:40

The question is: will I have any better protection using a firewall port-to-IP rule than I would if I only allowed access locally and used an SSH tunnel?
– Josiah May 7 '10 at 5:13

1

SSH will allow for key-based authentication only, which will always be more secure than using usernames and passwords. However, if you restrict the IP addresses that are allowed to access webmin then this may not make much difference.
– 3dinfluence May 7 '10 at 13:16